Court papers identify JC Penney as hacking victim

JC Penney Co Inc was one of the victims of notorious computer hacker Albert Gonzalez, according to unsealed documents made available on Monday by a federal judge in Boston.

Penney, which during Gonzalez' trial had asked the U.S. District Court for the District of Massachusetts to bar the government from disclosing its identity, was revealed in the documents to be the company that had been known throughout the trial as Company A.

Gonzalez, a 28-year-old from Miami, was sentenced to 20 years in prison last week for leading a ring that stole more than 40 million payment card numbers by breaking into retailers systems, including TJX Cos Inc, BJ's Wholesale Club Inc and Barnes & Noble.

Discount retailer Target Co said in December it was among Gonzalez' victims, but only an extremely limited number of payment card numbers were stolen.

When asked for comment, a spokeswoman for Penney referred to arguments filed by the company's lawyers on December 24, 2010.

Penney's lawyers argued that U.S. attorneys in New Jersey, where the Gonzalez case originated, had agreed to keep Penney's identity a secret because the U.S. government had not found that any Penney customer data had been stolen during a computer attack in 2007.

Penney's counsel said the U.S. government has reversed course and abrogated the agreement reached in New Jersey and asked that the U.S. attorneys' colleagues in Massachusetts abide by that earlier agreement.

U.S. attorneys in Massachusetts acknowledged that the Secret Service had no evidence to confirm that any credit card data had been stolen but countered that disclosing Penney's identity was in the public interest.

J.C. Penney was, as it claims, a secondary victim, but that does not entitle it to hide from the primary victims the facts enabling them to understand and assess the risks to which they were exposed, Assistant U.S. Attorney Stephen Heymann wrote in a document dated December 29, 2009.

Separately, specialty retailer Wet Seal Inc confirmed earlier on Monday it had been a victim of Gonzalez' credit card data theft ring, but said its internal investigations had found no evidence any customer credit or debit card information had been stolen.

On Friday, the StorefrontBacktalk blog identified Penney and Wet Seal as two victims of the hacking ring, citing the unsealed court documents.

The case is United States of America v Albert Gonzalez, No. 09-10382, U.S. District Court, Boston.